Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Risk Culture: More Work Needed from Boards in Financial Services

Only 60% of chief risk officers (CROs) at global financial institutions say their boards have worked at embedding the organization’s risk culture across the enterprise, and about the same percentage say their boards have reviewed incentive compensation plans to consider alignment of risks with rewards, according to the ninth biennial “Global Financial Services Risk Management Survey” from Deloitte Touche Tohmatsu Limited (DTTL).

“The survey finding means that 40% of boards at global financial services organizations have more work to do establishing and embedding the risk culture of the enterprise and promoting open discussions regarding risk,” says Edward Hida, a Deloitte Advisory partner in Deloitte & Touche LLP, and global leader, Risk & Capital Management. “This shows that focus is needed on the issue of setting the tone of risk culture at the board level,” he adds.

The survey, representing opinions from 71 financial institutions from around the world with aggregate assets of almost US$18 trillion, found that 63% of CRO respondents say their board reviews incentive compensation plans to consider alignment of risks with rewards. In addition, only about half of respondents say that it is a responsibility of their institution’s risk management program to review compensation plans to assess their impact on risk appetite and culture.

Regulators have been focusing on how boards communicate to their organizations the importance of risk management, governance, broader ethical standards and compensation practices, although the level of focus varies by country. In April, Mark Carney, chair of the Financial Stability Board (FSB), an international body that monitors and makes recommendations about the global financial system, told G20 finance ministers and central bank governors that “the scale of misconduct in some financial institutions has risen to a level that has the potential to create systemic risks.” He specifically flagged risk governance and compensation structures as areas the FSB will be focusing on in the future as part of that broader sweep.

The survey also found that 85% of respondents report their board currently devotes more time to oversight of risk than it did two years ago. This continues a trend of ratcheting up involvement by boards in providing risk oversight, which is expected to continue.

“Regulators are looking beyond solely quantitative measures of market, credit and liquidity risk to evaluate risk programs and assess whether institutions have created a culture that encourages employees to take appropriate risks and that promotes ethical behavior more broadly,” Mr. Hida adds. “Banks are responding to the regulatory focus on culture by establishing new oversight committees, offices and policies, while also struggling to develop the right approaches to measure and assess risk culture.”

There is widespread adoption when it comes to mainline measures designed to align employee incentives with the institution’s risk management objectives, like requiring that a portion of the annual incentive be tied to overall corporate results, the use of multiple incentive plan metrics and deferred payouts linked to future performance. Relatively few respondents, however, say their institution uses other compensation practices according to the survey results. For example, 30% of respondents say their organization imposes caps on payouts and 29% establish a maximum ratio between the fixed and variable component of total remuneration for employees identified as material-risk takers. Further, 28% use individual metrics tied to the implementation of effective risk mitigation strategies, and 19% match the timing of payouts with the term of the risk. “There is every indication that the next few years will bring further regulatory change, including in the incentive compensation area—and it is likely that many of these other practices will become more widespread over time,” adds Mr. Hida.

Other survey findings include:

Operational risk—Roughly two-thirds or more of respondents say their institution was extremely or very effective in managing traditional types of operational risks, like those related to legal and tax. While those numbers should be higher given the regulators’ specific focus on such areas, far fewer respondents believe their institution was extremely effective or very effective when it came to managing risks around third parties (44%), cybersecurity (42%), data integrity (40%) and risk and capital models (37%).

Regulatory reform impacts—When asked about the impacts of regulatory reform on their institution, respondents most often cite an increased cost of compliance (87%, up from 65% in 2012). Other impacts cited often were maintaining higher capital (62%, up from 54% in 2012) and adjusting certain products, lines and/or business activities (60%, up from 48% in 2012).

Securing talent—The greater attention by regulators on stress testing and its expanded use by financial institutions have created a large body of required work which has made it more difficult to secure professionals with the skills and expertise required. Eighty-eight percent of respondents say attracting and retaining risk management professionals with the required skills is at least somewhat challenging, including 32% that considered securing talent to be “extremely challenging” or “very challenging.”

Risk technology systems—Risk data and technology continue to pose big challenges, with 48% of respondents extremely or very concerned about the ability of the technology systems at their institution to respond flexibly to ongoing regulatory change. Sixty-two percent of respondents say that risk information systems and technology infrastructure were extremely or very challenging, and 46% say the same about risk data.

About the Survey

DTTL’s ninth biennial Global Financial Services Risk Management Survey assesses the risk management programs, planned improvements and continuing challenges among global financial institutions. The ninth edition surveyed chief risk officers—or their equivalent—at 71 financial institutions that represent the major economic regions of the world—with most institutions headquartered in the United States/Canada, Europe or Asia Pacific—and a range of financial services sectors, including banks, insurers and investment managers, with aggregate assets of nearly $18 trillion. The survey was conducted from August to November 2014.

About Deloitte Insights

Deloitte’s Insights for C-suite executives and board members provide information and resources to help address the challenges of managing risk for both value creation and protection, as well as increasing compliance requirements.